Rev cgi server and SSL

2008-04-11 Thread Richard Miller
I have a web page that is secured by an SSL certificate. Users access  
it by going to https://mywebpage.html. This page sends a cgi  
request (containing credit card information) to my MacMini server,  
located elsewhere. The server is not SSL protected. The credit card  
data is then processed via a Rev SSL routine to a secure payment  
gateway, then immediately discarded.


Are there any security issues with this approach? Do I need to get an  
SSL certificate for the server?


I've noticed that Firefox and Safari post a warning message when one  
hits the Submit button on the web page, saying that while the web  
page is secure, the data is being sent to a potentially unsafe  
location (presumably because the form is directed to an http  
address). Internet Explorer doesn't show any message.


Would it be worthwhile to get an SSL certificate for the server?

Thanks.
Richard Miller
___
use-revolution mailing list
use-revolution@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution
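
Added example, not part of the original thread and not code from any of its participants: a small Python audit for the situation described above, an HTTPS page whose form submits to an http:// address, so the posted fields leave the browser unencrypted. The page URL, CGI paths, field names and the 192.0.2.10 address are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Record every <form> with its action, method and named fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": (a.get("action") or "").strip(),
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open and a.get("name"):
            self._open["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def insecure_form_targets(page_url, html):
    """List forms on an HTTPS page whose submission leaves over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not protected; nothing to downgrade
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # Empty, relative and scheme-relative actions resolve against the
        # page URL, the same way a browser resolves them.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme == "http":
            findings.append({"target": target, **form})
    return findings

# Constructed sample page (hypothetical names; 192.0.2.10 is a documentation address).
SAMPLE_URL = "https://shop.example/checkout.html"
SAMPLE_HTML = """
<form method="post" action="http://192.0.2.10/cgi-bin/pay.cgi">
  <input type="text" name="card_number">
  <input type="text" name="expiry">
  <input type="submit" value="Submit">
</form>
<form method="post" action="/cgi-bin/newsletter.cgi"><input name="email"></form>
<form action="//shop.example/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for f in insecure_form_targets(SAMPLE_URL, SAMPLE_HTML):
        print(f["method"].upper(), f["target"], "cleartext fields:", f["fields"])
```

Only the first form is reported: the relative and scheme-relative actions inherit https from the page, while the absolute http:// action does not.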


Re: Rev cgi server and SSL

2008-04-11 Thread Luis
Browsers will warn of certificates they do not have in their  
repertoire. If you want to cater for the general population your best  
bet, to avoid the warnings, is to get a certificate from a known  
vendor (ie: known to the browsers). If the audience is limited, you  
can generate a certificate and get them to install it in their browsers.


Cheers,

Luis.




Re: Rev cgi server and SSL

2008-04-11 Thread Richard Miller

Hi Luis,

I wish this was the problem, but I am using a very well known  
vendor, one of the biggest on the Internet. Seems the problem lies  
with the sending to an http address.


Richard




Re: Rev cgi server and SSL

2008-04-11 Thread Luis

What exactly do you mean by 'The server is not SSL protected.'?

Is the certificate installed on the server? Apple Server Admin pdf -  
http://manuals.info.apple.com/en/Server_Administration_v10.5.pdf


These might be of help:

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=901&nav=0,1


Nice background - http://www.afp548.com/Articles/web/sslcert.html

Cheers,

Luis.




Re: Rev cgi server and SSL

2008-04-11 Thread Richard Miller
There is no certificate on the server. I had not installed one and  
didn't think I needed to. The web page is secure and the connection  
from the server to the payment gateway is secure. I don't think there  
is actually a security issue here, but Firefox and Safari don't know  
this, so they report a potential problem (enough to scare customers).


I could install a certificate on the server, but it's somewhat  
problematic because I already use the IP address of the server  
throughout several custom Rev programs. My understanding is that by  
installing a certificate on the server, I will not be able to refer  
to the server by its IP address, but would instead be forced to refer  
to it by a domain name (meaning, I'd have to change a lot of previous  
programming). I'd like to avoid that.


Richard




Re: Rev cgi server and SSL

2008-04-11 Thread Luis
You'd need the certificate on the server: The browsers are  
complaining that the data is sent to a server that is not 'certified'.
You could opt for clients to install the certificate as part of the  
list their browsers have (essentially 'approving' the server) or opt  
for 'Do not ask again' when they get the warning.


You should still be able to refer to the server by its IP address,  
this is what the Domain will resolve to anyway, so there needn't be a  
need to change your code.
I'd go the Domain name route: This will cover you in case your  
server's IP address changes in the future.


Cheers,

Luis.




Re: Rev cgi server and SSL

2008-04-11 Thread Mark Wieder
Richard-

Aside from the technical issues, if I were on the customer side of things 
and in the middle of processing a credit card transaction my browser gave me 
a security warning, I would immediately abort the process and never go back, 
resulting in a lost sale for you and your client.

-- 
 Mark Wieder
 [EMAIL PROTECTED] 


